Supply Chain Attack

A supply chain attack is an attack method that intervenes in the software development and distribution process, delivering malicious code to end users through legitimate updates or libraries.

What Is a Supply Chain Attack?

Software development no longer takes place within a single organization. OSS libraries, CI/CD pipelines, package registries, code signing certificates — the entire path through which a product reaches end users constitutes the "supply chain," and attackers target the single most poorly defended point within it. What fundamentally distinguishes this from conventional attacks is that the victim organization is not directly compromised; instead, a trusted upstream provider is used as a stepping stone.

Why It Is Serious

Because attacks travel through legitimate distribution channels, they are vastly more difficult to detect than the common web application vulnerabilities identified by OWASP. Backdoors embedded in signed updates can bypass endpoint protection, and it is not uncommon for cases to go undiscovered for months. On public registries such as npm and PyPI, typosquatting — the practice of publishing malicious packages under names that closely resemble legitimate ones — has been reported repeatedly. A single tainted library can propagate to thousands of projects; this amplification effect is the greatest threat posed by supply chain attacks.
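One defensive check a registry client or CI gate can run against the typosquatting described above, as an added example that is not part of the original article: compare each requested dependency name against an organization's approved-package list and flag names that are a few edits away from an approved one. The allowlist below is constructed for illustration, and the normalization follows the PEP 503 rule for Python package names.

```python
import re

# Constructed allowlist standing in for the set of packages an organization
# has vetted; a real deployment would load this from an internal approved list.
APPROVED_PACKAGES = {"requests", "numpy", "pandas", "cryptography", "urllib3"}


def normalize(name: str) -> str:
    """Normalize a package name the way PEP 503 does: lowercase and fold
    runs of '-', '_' and '.' into a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_name(requested: str, approved=APPROVED_PACKAGES, max_distance: int = 2):
    """Classify a requested dependency name.

    Returns ("approved", name) for an exact match after normalization,
    ("suspicious", closest_approved) when the name is within max_distance
    edits of an approved package but is not itself approved, and
    ("unknown", None) when it resembles nothing on the list.
    """
    name = normalize(requested)
    approved_norm = {normalize(p) for p in approved}
    if name in approved_norm:
        return ("approved", name)
    closest = min(approved_norm, key=lambda p: levenshtein(name, p))
    if levenshtein(name, closest) <= max_distance:
        return ("suspicious", closest)
    return ("unknown", None)


if __name__ == "__main__":
    for candidate in ["requests", "reqeusts", "numpi", "totally-unrelated-thing"]:
        print(candidate, "->", check_name(candidate))
```

A "suspicious" result is a signal for a human review step, not a verdict: legitimate forks and companion packages often sit one edit away from a popular name, so the check belongs in front of an approval workflow rather than an automatic block.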

Defensive Thinking

In the context of DevSecOps, the foundational strategy is to incorporate dependency verification from the earliest stages of development, in line with the shift-left principle. The following approaches are becoming established practice:

  • Generating and managing an SBOM (Software Bill of Materials): Enumerate all dependencies included in a product and continuously cross-reference them against vulnerability databases.
  • Dependency pinning and hash verification: Lock dependency versions using lock files and verify checksums at retrieval time.
  • Least-privilege CI/CD design: Avoid granting excessive permissions to build pipelines. The Zero Trust Network Access philosophy applies not only to networks but to build environments as well.
  • Automated signature verification: Automatically verify commit signatures and artifact signatures within CI, blocking tampered code before it is merged.
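The dependency-pinning and hash-verification item above, worked through as an added example that is not code from the original article: a minimal parser for a lock file in pip's `--hash=` style, and a check that refuses any artifact whose version or digest does not match the pin. The package names `examplelib` and `otherlib`, the lock-file contents and the artifact bytes are all constructed; the pinned digests are the SHA-256 values of those constructed bytes, not of any real release.

```python
import hashlib

# Constructed lock-file excerpt in pip's "--hash=" style. Each line pins one
# package to one version and one or more content digests.
LOCK_FILE = """\
# pinned dependencies (constructed example)
examplelib==1.2.3 --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
otherlib==0.9.0 --hash=sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


def parse_lock(text: str) -> dict:
    """Parse 'name==version --hash=algo:hex ...' lines into
    {name: {"version": str, "hashes": {algo: {hex, ...}}}}.
    A pin without a version or without at least one hash is rejected."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        name, _, version = tokens[0].partition("==")
        hashes = {}
        for tok in tokens[1:]:
            if not tok.startswith("--hash="):
                raise ValueError(f"unexpected token in lock file: {tok}")
            algo, _, digest = tok[len("--hash="):].partition(":")
            hashes.setdefault(algo, set()).add(digest.lower())
        if not version or not hashes:
            raise ValueError(f"{name}: every pin needs a version and a hash")
        pins[name.lower()] = {"version": version, "hashes": hashes}
    return pins


def verify_artifact(name: str, version: str, data: bytes, pins: dict) -> bool:
    """Return True only if the artifact's version matches the pin and its
    digest matches one of the pinned hashes. An unpinned package raises,
    so that a dependency nobody wrote down can never be installed silently."""
    pin = pins.get(name.lower())
    if pin is None:
        raise KeyError(f"{name} is not pinned; refusing to install")
    if pin["version"] != version:
        return False
    for algo, digests in pin["hashes"].items():
        if hashlib.new(algo, data).hexdigest() in digests:
            return True
    return False


if __name__ == "__main__":
    pins = parse_lock(LOCK_FILE)
    # b"abc" stands in for the bytes of a downloaded wheel (constructed input).
    print("genuine :", verify_artifact("examplelib", "1.2.3", b"abc", pins))
    print("tampered:", verify_artifact("examplelib", "1.2.3", b"abd", pins))
    print("drifted :", verify_artifact("examplelib", "1.2.4", b"abc", pins))
```

Real tooling performs this check natively (pip does so with `--require-hashes`); the value of seeing the logic spelled out is that it makes the two failure modes explicit. A version mismatch means the registry served something other than what was reviewed, and a digest mismatch means the bytes changed even though the version string did not, which is exactly the case a tampered legitimate release produces. The same digest comparison applies unchanged to model weight files fetched from a model hub.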

In the author's experience, adopting an SBOM alone — simply by eliminating the state of "not knowing what is included" — dramatically accelerates the identification of blast radius when an incident occurs.

Risks in AI Development

In systems that leverage LLMs, model weight files and training data also become part of the supply chain. A model fine-tuned on a poisoned dataset can generate unintended outputs through a vector entirely distinct from prompt injection. Verifying the trustworthiness of the AI supply chain is even more challenging than it is for conventional software, and the industry as a whole is still in the process of exploring countermeasures.